Impact
The vulnerability is an SQL injection flaw arising from improper neutralization of special elements in SQL statements within the WC Lovers WCFM Marketplace plugin. The updated description confirms that user-supplied input is incorporated directly into database queries, allowing an attacker to execute arbitrary SQL code. This can result in unauthorized reading, modification, or deletion of database records, compromising the confidentiality and integrity of stored data.
Affected Systems
The issue affects the WC Lovers WCFM Marketplace WordPress plugin for all versions up to and including 3.7.1. Users operating the plugin within this version range are at risk.
Risk and Exploitability
The CVSS score of 7.6 reflects a high-severity condition, indicating a significant threat if exploited. The EPSS score of 0.00036 (under 1%) indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is recorded there. The likely attack vector is a web-based request that passes unfiltered input to the database; the attacker needs a way to supply crafted payloads through the affected plugin's exposed interfaces. If successful, the attacker could gain unauthorized database access, leading to data breach or alteration.
OpenCVE Enrichment